We’re in the middle of conference season, and our teams have been talking to customers and partners, showcasing the GreyMatter security operations platform, and sharing their expertise in panels and presentations.

There has never been a more complex and challenging time to be part of the cybersecurity industry. With AI fueling faster and more effective attacks, increasing data sprawl, and ongoing changes in the cyber technology landscape, improving the analyst experience and giving them the ability to do more impactful investigations has immense benefits to cybersecurity teams and their organizations. By removing mundane tasks and automating Tier 1 investigations, AI makes investigations more efficient and adds in business context, enabling security teams to respond more quickly and effectively.

Where the SecOps Industry Is Heading

Balancing Threat Intel, DRP, and TDIR for Proactive SecOps

Effective security operations requires three primary functions: threat intelligence, like CVEs and threat actor tactics; digital risk protection (DRP), including brand protection and attack surface management; and threat detection, investigation, and response (TDIR).

Depending on where you are in your SecOps maturity journey, you may find yourself focused on one function over the others, which can lead to gaps:

  • Organizations that focus too much on TDIR tend not to have the proper insight into potential threats, instead reacting to them as they arise.
  • Conversely, organizations that consume too much intel struggle to operationalize it as they navigate the noisy world of intel and vulnerability updates.

Silos between teams also make it harder to operationalize threat intelligence, risk protection, and TDIR. SecOps needs to collaborate to bring them together and find the balance that works for their needs.

We recognize these challenges well. We built our security operations platform, GreyMatter, to help our customers combine these three components. As a result, they see faster mean times to contain and resolve, get a complete understanding of their attack surface, and protect their organization and its assets.

Scaling Security Operations: Slow Down to Speed Up

Scaling security operations is more critical than ever. Attacks are growing faster and more effective as threat actors use AI and automation to their advantage.

Counterintuitively, to scale faster, it’s best to start small. Instead of scaling a function or a role, take a granular approach.

For example, if you’re seeing long response times in your SOC, your first instinct may be to hire more analysts. But if there are inefficiencies in the analysts’ workflows, additional headcount won’t address the root of the problem. Instead, slow down and examine the steps of the workflow you want to speed up and look for ways to implement improvements—potentially through automation or generative AI.

During this process, keep in mind that AI and automation have different applications: Automation is best suited for repetitive, low-risk tasks like resetting user credentials, whereas AI can provide analysts with clear event summaries to speed investigation and recommend next steps, or in some cases take pre-prescribed actions.

Taking a practical approach to security automation and other methods of workflow improvement can help you quickly mature your security program.

Enabling SOC Analysts with Generative AI

Generative AI can help us bridge the cybersecurity skills gap. In addition to helping scale workflows, it can also scale people. What once took an analyst hours, like writing incident reports, can be done by AI, saving the analyst from low-brain, high-time activity and allowing them more time to improve their skills.

In addition, AI can take up some of the slack while new, entry-level analysts are trained, which lowers the barrier of entry for SOC analyst roles. For example, AI can help analysts quickly understand product functions and internal processes, getting them up to speed faster.

AI is woven throughout the capabilities within GreyMatter, putting information front and center to provide analysts with the details they need to make quick, effective decisions and then turn their time toward getting better.

We believe AI is best used in tandem with automation. In our annual threat report, we found that our customers who have fully embraced them both have cut their mean times to resolve from hours to under 7 minutes.

What Customers Want to Leave Behind

Speeding Containment with Automated Response Plays

Our customers are turning to automation to address Tier 1 and Tier 2 tasks to enhance analyst quality of life.

Over the last year, we’ve seen dramatic growth in the use of automated response plays (ARP) within GreyMatter. For example, in the event of a phishing attack, customers can run an ARP to temporarily lock a user account, block the malicious URL and domain, reset user credentials, and isolate any affected systems, speeding containment to a matter of minutes, all while sparing analysts the manual effort.
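To make the containment sequence above concrete (and the earlier point that automation belongs on repetitive, low-risk tasks while higher-impact steps may need an analyst in the loop), here is a small response play in Python. It is example code written for this post, not GreyMatter's ARP implementation: every connector (identity, web proxy, endpoint) is an in-memory stand-in, the alert values (user `jdoe`, the `.invalid` domain, the host names) are constructed, and the risk-tier gating via `max_auto_tier` is an assumed design rather than a documented product feature.

```python
"""Simulated automated response play for a phishing alert.

Example code added to this post; the Environment class stands in for the
identity, proxy and endpoint tools a real play would call through APIs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Environment:
    # Constructed in-memory state; sets make every action idempotent,
    # so re-running the play after a partial failure is safe.
    locked_accounts: set = field(default_factory=set)
    reset_accounts: set = field(default_factory=set)
    blocked_indicators: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)


@dataclass
class PhishingAlert:
    user: str
    url: str
    domain: str
    hosts: List[str]


@dataclass
class Step:
    name: str
    risk_tier: int  # assumed scale: 1 = routine/low risk, 3 = high impact
    action: Callable[[Environment, PhishingAlert], str]


def lock_account(env: Environment, alert: PhishingAlert) -> str:
    env.locked_accounts.add(alert.user)
    return f"locked {alert.user}"


def block_indicators(env: Environment, alert: PhishingAlert) -> str:
    env.blocked_indicators.update({alert.url, alert.domain})
    return f"blocked {alert.url} and {alert.domain}"


def reset_credentials(env: Environment, alert: PhishingAlert) -> str:
    env.reset_accounts.add(alert.user)
    return f"reset credentials for {alert.user}"


def isolate_hosts(env: Environment, alert: PhishingAlert) -> str:
    env.isolated_hosts.update(alert.hosts)
    return f"isolated {', '.join(sorted(alert.hosts))}"


# Steps in the order the post describes: lock, block, reset, isolate.
PHISHING_PLAY: List[Step] = [
    Step("lock_account", 1, lock_account),
    Step("block_indicators", 1, block_indicators),
    Step("reset_credentials", 1, reset_credentials),
    Step("isolate_hosts", 2, isolate_hosts),  # higher impact: takes hosts offline
]

# Constructed sample alert (not real data).
SAMPLE_ALERT = PhishingAlert(
    user="jdoe",
    url="http://login-example.invalid/verify",
    domain="login-example.invalid",
    hosts=["WS-0142", "WS-0377"],
)


def run_play(play: List[Step], env: Environment, alert: PhishingAlert,
             max_auto_tier: int = 3) -> List[Dict[str, str]]:
    """Run steps in order and return an audit trail.

    Steps whose risk tier exceeds max_auto_tier are not executed; they are
    recorded as pending analyst approval so the decision is visible later.
    """
    audit: List[Dict[str, str]] = []
    for step in play:
        ts = datetime.now(timezone.utc).isoformat()
        if step.risk_tier > max_auto_tier:
            audit.append({"ts": ts, "step": step.name, "status": "pending_approval"})
            continue
        detail = step.action(env, alert)
        audit.append({"ts": ts, "step": step.name, "status": "done", "detail": detail})
    return audit


def demo():
    """Run the full play unattended against a fresh environment."""
    env = Environment()
    audit = run_play(PHISHING_PLAY, env, SAMPLE_ALERT)
    return env, audit


if __name__ == "__main__":
    env, audit = demo()
    for entry in audit:
        print(entry["ts"], entry["step"], entry["status"], entry.get("detail", ""))
```

Running `demo()` executes all four steps; calling `run_play(..., max_auto_tier=1)` instead executes the three routine steps and leaves host isolation pending for a human, which is the split between unattended automation and analyst-confirmed action that the post describes. Because each action only adds to a set, running the play twice on the same environment changes nothing, which is the property you want before letting a play fire automatically.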

Moving Away from the “Black Box”

Our customers are growing frustrated with some vendors’ “black box” approach, which hinders their ability to customize detections and log custom applications, and prevents them from searching their own data.

Instead of collecting customer data into a single place, GreyMatter accesses it where it lives, across a customer’s existing toolset. Its bi-directional APIs access tools in real time to pull the data it needs to perform detection, investigation, and response. AI then synthesizes the findings so analysts have what they need up front to make quick decisions.

Increasing Usage of the GreyMatter Mobile App

We’ve had many conversations around the improvements we’ve made to our GreyMatter mobile app. With the app, security team members can receive full-context alerts, assign tasks to team members, and initiate automated response plays.

Conclusion

The ongoing evolution in the SecOps landscape emphasizes the importance of balancing threat intelligence, digital risk protection, and threat detection, investigation, and response. By integrating automation and AI, security operations teams can scale more efficiently, improve analyst workflows, and enhance overall security posture.

At ReliaQuest, we are committed to empowering security teams with our GreyMatter platform, designed to combine these critical components and provide actionable insights. Our customers are already experiencing faster containment times, improved efficiency, and better protection for their organizations.

A big thank-you to everyone who has said hello at conferences so far. We’re gearing up for Black Hat next, so if you’re going, swing by booth #1650 to get a live look at GreyMatter, our mobile app, and more.